Reference
Glossary
Identity terms
- Identity
- A named, cryptographically-anchored party in the HexaEight system. Either a user identity (an email address) or an agent identity (a hostname).
- User identity
- An email address authenticated via the HexaEight Authenticator mobile app. Bound to the person, not to a machine.
- Agent identity
- A hostname bound to a specific machine through an activation process. Either a generic auto-generated name (
web0-bliss-cyan-...) or a custom hostname (agent01.acme.com). - Activation
- The one-time process that binds an identity license to a specific machine. Produces
env-fileandhexaeight.mac. - SourceId
- The opaque cryptographic identifier the platform issued at activation. Appears in the wire envelope header so receivers can fetch the matching decryption key.
Messaging terms
- Envelope
- An encrypted message that the SDK produces and consumes. A long opaque string sent over any transport.
- Body
- The plaintext content of a message, inside the encrypted envelope.
- KGT
- Key generation time — a 15-minute time window used to derive shared keys. Encoded in the envelope's wire header.
- Session
- A persistent conversation between two parties identified by a session ID. Lets both sides skip per-message platform calls.
- Final recipient
- A payload claim set by the original sender indicating the intended end recipient when relaying through an intermediary.
- Original sender
- A payload claim set by a relay agent indicating who originally produced a message that the relay is forwarding.
- Multi-party chain
- An ordered list of recipients a message must pass through, each peeling one layer of encryption.
Authorization terms
- Policy
- The full set of rules the SDK evaluates against messages.
- Rule
- A single line in the policy file specifying sender, destination, realm, direction, and effect (allow/deny).
- Realm
- The scope a rule applies in:
default,app:<X>,session:<Y>, oruser:<Z>. - Direction
- Either
inbound(receiving) oroutbound(sending). - Effect
- Either
allowordeny. Deny always wins when multiple rules match. - Bootstrap mode
- The initial state when no rules are configured. Allows all messages until the first rule is added.
- AutoEnforce
- The on/off switch for automatic policy checking on encrypt/decrypt. Default ON.
- Tier 1 / Tier 2 / Tier 3 / Tier 4
- User-level / session-level / app-level / default rules, in increasing order of generality.
Scaling terms
- Swarm
- Multiple machines running the same agent identity, sharing an encrypted policy and coordinating via distributed locks.
- Swarm Key
- A shared secret known to all swarm members. Encrypts the shared policy file and lock files. Separate from any machine's activation password.
- Quorum storage
- The location (file share, cloud storage) where the swarm's shared encrypted state lives. All members must be able to read and write here.
- Distributed lock
- A primitive provided by the SDK that lets one swarm member at a time hold exclusive access to a named resource.
Cryptographic terms
- DDE
- Dead Drop Encryption — the cryptographic primitive HexaEight is built on. Allows two parties to derive a shared key without exchanging public keys.
- ASK
- Asymmetric Shared Key — the result of DDE key derivation. Each side gets its half; the platform never holds the combined key.
- Protection hash
- A SHA-512 hash of the sending application's binary (or URL for browser apps). Carried in the encrypted payload and used by app-level rules.